Fix issue with octavia security group rules creation

This patch fixing issue with octavia security group rules creation when using IPv6 configuration for octavia management network. Closes-Bug: #2023502 Change-Id: I3f8fbb0632ec6ecdc9f3820ebbcf01480de59e1f
2023-06-12 00:19:19 +02:00 · 2023-06-12 00:19:19 +02:00 · f1bb97dd85
commit f1bb97dd85
parent e637978e26
3 changed files with 30 additions and 1 deletions
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@ -305,7 +305,7 @@ octavia_amp_security_groups:
    name: "lb-mgmt-sec-grp"
    enabled: true
    rules:
-      - protocol: icmp
+      - protocol: "{{ 'ipv6-icmp' if octavia_network_address_family == 'ipv6' else 'icmp' }}"
      - protocol: tcp
        src_port: 22
        dst_port: 22
@ -353,6 +353,10 @@ octavia_amp_network:
 # Octavia management network subnet CIDR.
 octavia_amp_network_cidr: 10.1.0.0/24

+octavia_amp_router:
+  name: lb-mgmt-router
+  subnet: "{{ octavia_amp_network['subnet']['name'] }}"
+
 # Octavia provider drivers
 octavia_provider_drivers: "amphora:Amphora provider{% if neutron_plugin_agent == 'ovn' %}, ovn:OVN provider{% endif %}"
 octavia_provider_agents: "amphora_agent{% if neutron_plugin_agent == 'ovn' %}, ovn{% endif %}"
--- a/ansible/roles/octavia/tasks/prepare.yml
+++ b/ansible/roles/octavia/tasks/prepare.yml
@ -88,6 +88,7 @@
      protocol: "{{ item.1.protocol }}"
      port_range_min: "{{ item.1.src_port | default(omit) }}"
      port_range_max: "{{ item.1.dst_port | default(omit) }}"
+      ethertype: "IPv{{ octavia_network_address_family[-1] }}"
  with_subelements:
    - "{{ octavia_amp_security_groups }}"
    - rules
@ -141,3 +142,20 @@
      ipv6_ra_mode: "{{ octavia_amp_network['subnet']['ipv6_ra_mode'] | default(omit) }}"
  run_once: True
  delegate_to: "{{ groups['octavia-api'][0] }}"
+
+- name: Create loadbalancer management router for IPv6
+  become: true
+  kolla_toolbox:
+    container_engine: "{{ kolla_container_engine }}"
+    module_name: openstack.cloud.router
+    module_args:
+      auth: "{{ octavia_user_auth }}"
+      cacert: "{{ openstack_cacert }}"
+      endpoint_type: "{{ openstack_interface }}"
+      region_name: "{{ openstack_region_name }}"
+      state: present
+      name: "{{ octavia_amp_router['name'] }}"
+      interfaces: "{{ octavia_amp_router['subnet'] }}"
+  run_once: True
+  when: octavia_network_address_family == "ipv6"
+  delegate_to: "{{ groups['octavia-api'][0] }}"
--- a/releasenotes/notes/bug-2023502-68acc8637510cb22.yaml
+++ b/releasenotes/notes/bug-2023502-68acc8637510cb22.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix issue with octavia security group rules creation when using
+    IPv6 configuration for octavia management network.
+    See `LP#2023502 <https://bugs.launchpad.net/kolla-ansible/+bug/2023502>`__
+    for more details.